
pfw install cookbook

OpenBSD 4.1

As of this writing, there is no pfw ISO available for the excellent pfw web-management product (www.allard.nu/pfw) for OpenBSD. We support this project.

Plus, the ISO doesn’t have things like compilers, the ports tree, etc.; and often we have other consulting to do and customizations we perform while installing OBSD in addition to just the pfw install, so we can’t always use the ISO.

So, something I’ve been meaning to do for a while is put together a cookbook for this – here goes.

  1. Log in as root.
  2. Set up your environment for installing packages from the web:

    export PKG_PATH=http://mirror.planetunix.net/pub/OpenBSD/4.1/packages/i386/

    Note that you should substitute your closest mirror (and possibly other machine architecture) in the above. YMMV.
    A couple of other mirrors that I use:
    http://openbsd.mirrors.tds.net/pub/OpenBSD/4.1/packages/i386/
    ftp://rt.fm/pub/OpenBSD/4.1/packages/i386/ (Gotta love the domain name!)

  3. Install some necessary packages:

    pkg_add mc bash wget

    You may add your own favorite choices here – curl, links, zsh, joe, nano, etc.

  4. Set up bash (or your personal favorite) as your shell:

    chsh -s bash

  5. Remove the annoying “Terminal Type? [xterm]” query from the login sequence, by editing your dot-profile (/root/.profile) and commenting out or deleting the last three lines:

    # if [ -x /usr/bin/tset ]; then
    # eval `/usr/bin/tset -sQ \?$TERM`
    # fi

  6. Reboot and re-login as root. You should now have a bash shell prompt.

    Download the latest pfw and unpack it into /var/www/:

    wget http://www.allard.nu/pfw/download/pfw-latest.tgz
    cd /var/www/
    tar zxvf /root/pfw-latest.tgz

  7. Now add the php5 and sqlite packages:

    export PKG_PATH=http://mirror.planetunix.net/pub/OpenBSD/4.1/packages/i386/
    pkg_add php5-core sqlite php5-sqlite

    This will give you further instructions on checking the installation, and setting up PHP, SQLite, and Apache:

  8. PHP setup and checking:
    Copy the recommended PHP configuration file into the Apache configuration directory:

    cp /usr/local/share/examples/php5/php.ini-recommended /var/www/conf/php.ini

    Test that PHP has the SQLite module installed:

    php -i | grep -i sqlite

    This should show various SQLite parameters, etc.

    Enable the php5 and php5-sqlite modules with:

    /usr/local/sbin/phpxs -s
    /usr/local/sbin/phpxs -a sqlite

    These should return with no errors.

  9. Boot setup
    Change to the /etc directory and edit your rc.conf using vi (or your favorite text editor) to allow non-chrooted Apache:

    cd /etc
    vi rc.conf

    And change the line that says:

    httpd_flags=NO # for normal use: "" (or "-DSSL" after reading ssl(8))

    to

    httpd_flags="-u" # for normal use: "" (or "-DSSL" after reading ssl(8))

  10. SQLite setup and directory permission settings
    Change to the pfw directory, initialize the SQLite database, and hand the conf directory to the web server user:

    cd /var/www/pfw
    sqlite conf/config.db < docs/sql/sqlite.sql
    chown -R www:www conf

  11. Apache setup and config:
    Edit your Apache configuration file:

    cd /var/www/conf/
    vi httpd.conf

    and do three things:

    To enable parsing of PHP scripts, find the following line and uncomment it:

    AddType application/x-httpd-php .php

    To enable .php files to be executed by Apache’s PHP module, add index.php to the DirectoryIndex setting, so it looks something like this:

    DirectoryIndex index.html index.php

    Finally, add the pfw directory and alias:

    Alias /pfw "/var/www/pfw/web/"
    <Directory "/var/www/pfw/web">
      AllowOverride None
      Order allow,deny
      Allow from 127.0.0.1 10.1
    </Directory>

    Note that the “10.1” is for testing on our own internal network – you will want to either add your own internal network here, or set up some other form of security, directory-based, or otherwise. Security considerations are beyond the scope of this cookbook, although there are resources listed below that can help you set this up.

  12. Sudo setup:
    Allow the web server user (www) to run the pfw helper binaries through sudo without a password – the preferred method is to use the visudo command, and add the following line to the text of the /etc/sudoers file:

    www ALL = NOPASSWD: /var/www/pfw/bin/*

    The non-preferred way, because it’s dangerous, and easy to typo something and render your sudo unusable, is to simply append it to the end of the /etc/sudoers file manually (the line is quoted so the shell does not expand the * against files in the bin directory):

    echo 'www ALL = NOPASSWD: /var/www/pfw/bin/*' >>/etc/sudoers

    NOTE WELL: there are TWO greater-thans! Using only one will overwrite (truncate) your sudoers file!

  13. Reboot and try it out!

    lynx 127.0.0.1/pfw

    After allowing cookies (all), you should be able to surf to the various links and see the pfw pages, albeit in text mode.

    Happy hacking!
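As an added example (not part of the original post or of pfw itself), here is a small POSIX shell script that re-checks the security-relevant settings from steps 9, 11 and 12. It runs against constructed sample copies of the files so it works offline; on a real host point the functions at /etc/rc.conf, /var/www/conf/httpd.conf and /etc/sudoers instead.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the settings
# made in steps 9, 11 and 12. It runs against constructed sample files so it works
# offline; on a real host pass /etc/rc.conf, /var/www/conf/httpd.conf, /etc/sudoers.
WORK=$(mktemp -d)
# Constructed samples in the same format as the OpenBSD 4.1 files edited above.
printf 'httpd_flags="-u" # for normal use: "" (or "-DSSL" after reading ssl(8))\n' > "$WORK/rc.conf"
cat > "$WORK/httpd.conf" <<'EOF'
AddType application/x-httpd-php .php
DirectoryIndex index.html index.php
Alias /pfw "/var/www/pfw/web/"
<Directory "/var/www/pfw/web">
  AllowOverride None
  Order allow,deny
  Allow from 127.0.0.1 10.1
</Directory>
EOF
# A deliberately misconfigured copy: the pfw pages open to everyone.
sed 's/Allow from 127.0.0.1 10.1/Allow from all/' "$WORK/httpd.conf" > "$WORK/httpd-open.conf"
printf 'www ALL = NOPASSWD: /var/www/pfw/bin/*\n' > "$WORK/sudoers"

# Step 9: httpd must start non-chrooted (-u) or pfw cannot reach sudo/pfctl.
check_httpd_flags() { grep -q '^httpd_flags="-u"' "$1"; }

# Step 11: PHP handler and index.php must both be enabled.
check_php_enabled() {
  grep -q '^AddType application/x-httpd-php \.php' "$1" &&
  grep -q '^DirectoryIndex .*index\.php' "$1"
}
# Step 11: print the first "Allow from" inside the pfw <Directory> block.
pfw_allow_line() {
  awk 'index($0, "<Directory \"/var/www/pfw/web\">") { inblk = 1 }
       inblk && /^[ \t]*Allow from/                 { print; exit }
       /<\/Directory>/                              { inblk = 0 }' "$1"
}
# Fail if the block has no Allow line (nothing can reach it) or is open to "all".
check_pfw_access() {
  line=$(pfw_allow_line "$1")
  [ -n "$line" ] || return 1
  case "$line" in *" all"|*" all "*) return 1 ;; esac
  return 0
}
# Step 12: exactly the pfw helper glob, nothing broader. After editing the real
# file, `visudo -c` parses it and reports syntax errors before sudo is affected.
check_sudoers() { grep -q '^www ALL = NOPASSWD: /var/www/pfw/bin/\*$' "$1"; }

check_httpd_flags "$WORK/rc.conf"         && echo "rc.conf: httpd runs with -u"
check_php_enabled "$WORK/httpd.conf"      && echo "httpd.conf: PHP enabled"
check_pfw_access  "$WORK/httpd.conf"      && echo "httpd.conf: /pfw restricted"
check_pfw_access  "$WORK/httpd-open.conf" || echo "httpd-open.conf: /pfw open to all (bad)"
check_sudoers     "$WORK/sudoers"         && echo "sudoers: pfw entry present"
```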

Resources:

  1. eRacks Open Source Systems can help with preinstalled OpenBSD hardware with pfw, consulting to set up firewall rules, security, digest authentication, and so forth.
  2. Allard consulting, author of the highly-rated pfw product.
  3. The OpenBSD easy packages method and mirrors list
  4. Security Architects can help with your security assessments, setting up firewall rules, and analysis of your overall site or enterprise security plan and strategy.
  5. The Libre Group provides Open-Source consulting, migration planning and assessments of Open-Source ROI and how to obtain the most immediate return on migrating your business to Open Source infrastructure, including desktops, laptops, servers, etc.